PPRuNe Forums - View Single Post - BA038 (B777) Thread
19th Feb 2008, 21:52
TwinAisle
Private Eye - 22 February

Interesting article in the back pages of the Eye this issue. For those who are not familiar with the Eye, it is a satirical magazine, but the last few pages tend to be reserved for more thoughtful writing. Article below, complete:

"A Software Triple Whammy

Air accident investigators have provisionally identified the cause of last month's British Airways Boeing 777 crash at Heathrow as a failure by both engines to provide the necessary thrust of power ahead of landing, causing it to fall short of the runway.

Why both engines should fail to respond to demands from the "Auto throttle" and then from the two pilots is not yet known, but investigators are looking closely at the craft's computer systems. And so they should; aircraft and computer experts warned long ago of a potentially dangerous flaw in the software driving the 400-seater's three primary flight computers (PFCs).

Until the revolutionary 777 (dubbed the "computer with wings"), every passenger jet had a failsafe "triplex" system of PFCs - three computers from three different companies with three different teams writing the software. One computer would fly the aircraft, one would monitor and take over if a problem occurred and the third would be in reserve. A mistake in one was very unlikely to be in the second, and even more unlikely in the third. Thus safety in a craft that was to take autopilot to a new level was all but guaranteed.

So it was - at first - with the 777. Boeing took its proposals for a triplex PFC to the Federal Aviation Administration (FAA) which gave approval. But then things started to unravel. Without putting the software programme out to competitive tender, Boeing appointed GEC Marconi, based in Rochester, Kent, as sole writer. GEC had three different teams of software writers, separated by "chinese walls".

According to Boeing itself, however: "It became apparent that the three separate teams were having to ask Boeing so many questions for clarification that the independence of the three teams was irreparably compromised".

So instead of hiring new teams, which would have delayed the project and may have rendered Boeing liable for penalty payments, the three teams became one. Triplex was forgotten.

The result was 132,000 lines of software code, unprecedented in aviation history, which, it seems, could not be independently checked. The then chairman of the British Computer Society's safety critical systems taskforce, Professor Brian Wichmann, told Computer Weekly magazine (which revealed the potential flaw back in 1995) that "more than 20,000 lines of code are too complex to test" and that 132,000 lines of code were impossible to verify. If a bug or glitch caused a failure during a take off or landing, the plane could crash before the pilot had time to react.

But the system was approved, not by the FAA or the British Civil Aviation Authority (CAA), but by the European Joint Airworthiness Authorities (JAA) based in Holland - by just three JAA specialists.

As the certifying authority in America, the FAA asked for more comprehensive software audits, but then accepted Boeing's argument that the lines of code had already been tested and verified so extensively that any potential for error had been ruled out.

Mary Schiavo, the former director-general at the US Department of Transportation, revealed in her book "Flying Blind, Flying Safe" that the FAA's national software expert later admitted to her: "I'm in a very embarrassing position. To say that the software is safe, I can't tell you that. I can tell you that the software development has followed our procedures". So that's all right, then.

Air accident investigators say that they are focusing on a more detailed analysis of the flight recorder information and examining systems modules and equipment that could influence engine operation."

Clearly there are elements here that don't add up. But an interesting read...